On January 17, 2006 a (now former) developer named Hartmut Birr claimed on the ReactOS Developers mailing list (ros-dev) that ReactOS contained code derived from disassembling Microsoft Windows. As a result of this, the project's developers decided to temporarily suspend access to files of the operating system for non-developers while the contributors were contacted to ensure clean reverse engineering. Since ReactOS is a free/open-source software development project, this action caused a negative reaction by the free software community. Contributors to its development were not affected by this action, and all access to the software development tools was restored shortly afterward.
Consequently, from March 2006 through December 2007, an internally conducted source code audit was carried out to ensure that only clean room reverse engineering was used. All developers were also made to sign an agreement committing them to use only clean room reverse engineering. In September 2007, with the audit nearing completion, the audit status was removed from the ReactOS homepage. Though the audit was completed, specific details were not made public as it was only an internal effort to ensure legally produced code.
In spite of the internal audit's claims to have found no definitive proof, RosAsm's developer, Betov, claimed that the most suspect files were missing from the list of files selected for the audit. In response to this, the ReactOS developers made a public statement where they "agree that the files, pointed by Betov, in the ReactOS sources [...] belong to Microsoft" but also declare that they "are in the opinion that using these materials is legal, and is not a problem." The license covering the code, available here, is the standard EULA that comes with the Windows NT Device Driver Kit, which allows the user to "modify the sample source code ("Sample Code") to design, develop and test your Software Product, and reproduce and distribute the Sample Code with such modifications in source and object code forms". It is unclear if such an agreement would be applicable to a 'clone'.
Concerns have also been raised about ReactOS more generally, because of differing definitions of 'clean-room' engineering. ReactOS could be potentially threatened by patents owing to the implementation of certain features (like support for the patented long file name kludge).
Despite all the concerns and as yet untested allegations, the source code of ReactOS has since the initial lockout remained available (and thus open for inspection).